Abstract. We propose a new method for constructing small-bias spaces through a combination of Hermitian codes. For a class of parameters our multisets are much faster to construct than what can be achieved by use of the traditional algebraic geometric code construction. So, if speed is important, our construction is competitive with all other known constructions in that region. And if speed is not a matter of interest the small-bias spaces of the present paper still perform better than the ones related to norm-trace codes reported in [12].

Keywords. Small-bias space, balanced code, Gröbner basis, Hermitian code.

1 Introduction

Let $X = (X_1, \ldots, X_k)$ be a random vector that takes on values in $\mathbb{F}_2^k$. As shown by Vazirani [17] the variables $X_1, \ldots, X_k$ are independent and uniformly distributed if and only if

$$\mathrm{Prob}\Big(\sum_{i \in T} X_i = 0\Big) = \mathrm{Prob}\Big(\sum_{i \in T} X_i = 1\Big) = \frac{1}{2} \qquad (1)$$





holds for every non-empty set of indexes $T \subseteq \{1, \ldots, k\}$. In particular, if (1) is to hold for a space $\mathcal{X} \subseteq \mathbb{F}_2^k$ then necessarily $\mathcal{X}$ must be equal to $\mathbb{F}_2^k$. There is a need for much smaller spaces $\mathcal{X} \subseteq \mathbb{F}_2^k$ with statistical properties close to that of (1). In the following by a space we will mean a multiset $\mathcal{X}$ with elements from $\mathbb{F}_2^k$ (this we write $\mathcal{X} \subseteq \mathbb{F}_2^k$). The multiset $\mathcal{X}$ is made into a probability space by adjoining to each element $x \in \mathcal{X}$ the probability $p(x) = i(x)/|\mathcal{X}|$ where $i(x)$ denotes the number of times $x$ appears in $\mathcal{X}$. As a measure for describing how close a given space $\mathcal{X}$ is to the above situation with respect to randomization, Naor and Naor [15], and Alon et al. [1] introduced the concept of $\epsilon$-biasness Q^ Def. 3]. (See also [Mj).



Definition 1. A multiset $\mathcal{X} \subseteq \mathbb{F}_2^k$ is called an $\epsilon$-bias space if
1^
xex



< e 



(2) 



holds for every non-empty index set $T \subseteq \{1, \ldots, k\}$.



Clearly, the $\epsilon$ in Definition 1 can be taken to be a number between 0 and 1. Good randomization properties are achieved when $\epsilon$ is close to 0 as (2) becomes (1) when $\epsilon = 0$. Multisets with $\epsilon$ small are called small-bias spaces. They are useful as sample spaces in applications such as automated theorem proving, derandomization of algorithms, program verification, and testing of combinatorial circuits. Rather than saying that a multiset is an $\epsilon$-bias space we will often just say that it is $\epsilon$-biased. Another name for $\epsilon$-bias space is $\epsilon$-bias set [2, Def. 1] and [12, Def. 1.1]. This notion may be a little misleading as the item under consideration is actually a multiset. One way of constructing small-bias spaces is through the use of error-correcting codes.

Definition 2. A binary $[n, k]$ code is said to be $\epsilon$-balanced if every non-zero code word $c$ satisfies

$$\frac{1 - \epsilon}{2} \le \frac{w_H(c)}{n} \le \frac{1 + \epsilon}{2}.$$

Here $[n, k]$ means that the code is linear, of dimension $k$ and length $n$. Further, $w_H$ denotes the Hamming weight.

There is a simple direct translation [1] between the concepts described in Definition 1 and Definition 2:

Theorem 1. Let $G$ be a generator matrix for an $\epsilon$-balanced binary $[n, k]$ code. The columns of $G$ constitute an $\epsilon$-bias space $\mathcal{X} \subseteq \mathbb{F}_2^k$ of size $n$. Similarly, using the elements of an $\epsilon$-bias space $\mathcal{X}$ as columns of a generator matrix an $\epsilon$-balanced code is derived.

The following example illustrates the above theorem. It also shows why it is important in Definition 1 to work with multisets rather than sets.

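Example 1. Consider the matrix

$$G = \begin{bmatrix} 0 & 1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 \\ 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \end{bmatrix}$$

The code having $G$ as a generator matrix is $\epsilon$-balanced with $\epsilon = 1/3$ and indeed the multiset made from the columns of $G$ is $\epsilon = 1/3$ biased. Treating the columns as a set (rather than a multiset) we derive

$\mathcal{X}' = \{(0, 0, 1), (1, 0, 1), (0, 1, 1), (1, 1, 1), (0, 0, 0)\}$.

The smallest value of $\epsilon$ for which $\mathcal{X}'$ is $\epsilon$-biased is $\epsilon = 3/5$.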

A standard construction from [1] tells us how to make small-balanced codes (meaning $\epsilon$-biased codes with $\epsilon$ small):

Theorem 2. Let $q = 2^s$ for some integer $s$ and consider a $q$-ary $[N, K, D]$ code $C$. Let $C_s$ be the (binary) $[2^s, s]_2$ Walsh-Hadamard code, $s > 1$. The concatenated code derived by using $C$ as outer code and $C_s$ as inner code is an $\epsilon = (N - D)/N$-balanced binary code of length $n = N 2^s$ and dimension $k = Ks$.

Proof. The result relies on the fact that every non-zero codeword of $C_s$ contains exactly as many 0s as 1s.
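
The following check is an added example, not code from the paper. It computes the bias of a multiset in the usual character-sum form, $\max_{T \neq \emptyset} \frac{1}{|\mathcal{X}|}\big|\sum_{x \in \mathcal{X}} (-1)^{\sum_{i \in T} x_i}\big|$, reproduces the two values of Example 1, and builds the concatenated code of Theorem 2 for a toy outer code. The outer code (a [4, 2, 3] Reed-Solomon code over GF(4) = F_2[a]/(a^2 + a + 1)), the F_2-basis {1, a} and all function names are assumptions made for illustration.

```python
from fractions import Fraction
from itertools import product


def bias(space, k):
    """Smallest eps for which the multiset `space` of k-bit tuples is eps-biased."""
    worst = Fraction(0)
    for T in product((0, 1), repeat=k):
        if not any(T):
            continue  # only non-empty index sets T count
        # character sum: +1 when the parity over T is 0, -1 when it is 1
        total = sum(1 - 2 * (sum(t & x for t, x in zip(T, v)) % 2) for v in space)
        worst = max(worst, Fraction(abs(total), len(space)))
    return worst


def columns(G):
    """Columns of a generator matrix (list of rows), kept as a multiset."""
    return [tuple(col) for col in zip(*G)]


# Generator matrix of Example 1 (3 rows, 12 columns).
G_EX1 = [[int(b) for b in row]
         for row in ("010101010000", "001100110000", "111111110000")]


def example1():
    """Bias of the column multiset and of the columns treated as a set."""
    cols = columns(G_EX1)
    return bias(cols, 3), bias(sorted(set(cols)), 3)


def gf4_mul(x, y):
    """Multiply in GF(4); elements are ints 0..3, bit i = coefficient of a^i."""
    r = 0
    for i in range(2):
        if (y >> i) & 1:
            r ^= x << i
    return r ^ 0b111 if r & 0b100 else r   # reduce with a^2 = a + 1


def wh_encode(sym, s=2):
    """[2^s, s] Walsh-Hadamard codeword: inner products of sym with every u."""
    return [bin(sym & u).count("1") % 2 for u in range(1 << s)]


def concatenated_generator():
    # Constructed toy outer code: RS [N=4, K=2, D=3], evaluations of 1 and X
    # at the four points 0, 1, a, a+1 of GF(4).
    outer = [[1, 1, 1, 1], [0, 1, 2, 3]]
    rows = []
    for g in outer:
        for b in (1, 2):   # F_2-basis {1, a}: K*s binary rows in total
            rows.append([bit for sym in g for bit in wh_encode(gf4_mul(b, sym))])
    return rows


def theorem2_demo():
    """Dimension k = K*s, length n = N*2^s and bias of the concatenated code."""
    G = concatenated_generator()
    k, n = len(G), len(G[0])
    return k, n, bias(columns(G), k)


if __name__ == "__main__":
    print(example1())
    print(theorem2_demo())
```

For this toy outer code the measured bias equals $(N - D)/N = 1/4$, so the bound of Theorem 2 is met with equality.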

The literature contains various examples of small-bias spaces that cannot all be compared to each other. We refer to [2, Sec. 1] for more details. In the following we will concentrate on important families of multisets for which comparison can be made. We remind the reader of how bigO notation works when given functions of multiple variables. In our situation we have real valued positive functions $f_i(x, y)$, $i = 1, 2$ where $x$ can take on any value in $\mathbb{Z}^+$ but for every fixed choice of $x$ the variable $y$ can only take on values in an interval $I(x) \subseteq \mathbb{R}^+$. By $f_1(x, y) = O(f_2(x, y))$ we mean that a witness $(C, k)$ exists such that for all $x$ with $k < x$ and all $y \in I(x)$ it holds that $f_1(x, y) < C f_2(x, y)$. We are interested in upper bounding the size of $\mathcal{X}$ which will be done in terms of bigO estimates as above. At the same time we are interested in lower bounding the length of the words in the multiset $\mathcal{X}$. Such estimates are described using bigOmega notation. We remind the reader that by definition $f(x) = \Omega(g(x))$ if and only if $g(x) = O(f(x))$. As we are only interested in bigOmega estimates the meaning of $k$ changes accordingly. We have the following results:

— Using Reed-Solomon codes as outer codes in Theorem [2] one achieves 
|l|2j for all possible choices of e and k 



X Cl¥^^^\ \x\ = o 



k 



2 



This is called the RS-bound. 



— Let Pi, ... , PjKf-i, Q be rational places of an algebraic function field 
over ¥q and denote by g the genus. Assume M = (y^ — l)g. That is, 
we assume that the function field attains the Drinfeld-Vladut bound. 
Using codes Cc{U = Pi + ■ ■ ■ + Pj\f-i,mQ) with g < m as outer codes 
one gets for all e and k (see Section [2] for a discussion) 

XCF?'\ \X\ = o( 3 ^ 

Ve^log(l/e) 

This result which is in the folklore is known as the AG-bound. 

— Using Hermitian codes with m < g as outer codes one achieves [2] for 
e > A;~2 

This we call the BT-bound after the authors of [2], Ben-Aroya and Ta-Shma.

— Using in larger generality Norm- Trace codes of low dimension as outer 

i_ 

codes one achieves [12] for / = 4, 5, . . . and t> k ^ (see Section [5]) 



X (^¥^^^\ \X\=0 






e'-v^log(l/e) 



Here, $l = 4$ corresponds to the Hermitian case described in [2].

The Gilbert-Varshamov bound also applies to the small-bias spaces (as usual in a non-constructive way). It is derived by plugging $d = n/2$ into the Gilbert-Varshamov bound for binary codes and making a Taylor approximation on the resulting formula. The construction uses Theorem 1 directly. It guarantees for all $\epsilon$ and $k$ the existence of multisets with

X <Z¥^^^\ \x\=o(^ 

The linear programming bound tells us that we cannot hope to produce $\epsilon$-bias spaces with



XC¥'^\ \X\=0 



■2 



e2log(l/e) 



One way of comparing the above results is to choose $\epsilon = k^{-\alpha}$, $\alpha \in \mathbb{R}^+$ and then to take the logarithm with base $k$. The bigO notation suggests that we then let $k$ go to infinity. The origin of this point of view is [2, Sec. 1].

When making the above operation we must be careful to specify which choices of $\alpha$ are allowed. We remind the reader of the little-o notation. Given functions $f_i(x) : \mathbb{Z}^+ \to \mathbb{R}^+$, $i = 1, 2$ by $f_1(x) = o(f_2(x))$ we mean that for every choice of $c \in \mathbb{R}^+$ there exists a $k(c) \in \mathbb{Z}^+$ such that when $k(c) < x$ then necessarily $f_1(x) < c f_2(x)$. We have:

— RS-bound: The family of concatenated codes from Theorem 2 with Reed-Solomon codes as outer codes gives

$\log_k(|\mathcal{X}|) = 2 + 2\alpha + o(1)$

for all choices of $\alpha \in \mathbb{R}^+$.

— AG-bound: The family of concatenated codes from Theorem 2 with algebraic geometric codes as outer codes and $g < m$ gives

$\log_k(|\mathcal{X}|) = 1 + 3\alpha + o(1)$

for all choices of $\alpha \in \mathbb{R}^+$.

— BT-bound: The family of concatenated codes from Theorem 2 with Hermitian codes as outer codes and $m < g$ gives

log.(|A'|) = ^ + ^a + o(l) 

for all choices of $\alpha \in\, ]1/2, \infty[$.

— The family of concatenated codes from norm-trace codes of low dimension gives

\og,{\X\) = ^-^{l + a{l-Vl)) + o{l) 

for $l = 4, 5, \ldots$, and for all $\alpha \in [1/\sqrt{l}, \infty[$ (see Section 5).

— The Gilbert-Varshamov bound and the Linear Programming bound in combination tell us that we can achieve

$\log_k(|\mathcal{X}|) = 1 + 2\alpha + o(1)$

for all choices of $\alpha \in \mathbb{R}^+$ but no better than this.

In the present paper we shall introduce a new family of small-bias spaces 
using a combination of Hermitian codes as outer code. This family gives 

log,(|Af|) = ^ + ^a + o(l) 



for all choices of $\alpha \in \mathbb{R}^+$. We allow $2g < m$ and it is therefore surprising that for $\alpha \in\, ]1, \infty[$ the achievements are better than those of the Hermitian codes with $g < m$. Our small-bias spaces perform better than the ones derived from norm-trace codes for all $l \ge 5$ (see Section 5 for the proof). For $\alpha < 1$ they behave better than what can be achieved using Reed-Solomon codes as outer code. For $\alpha < 1$ admittedly the new $\epsilon$-bias spaces perform worse than the spaces coming from the AG construction. This, however, is only part of the picture. It turns out that to construct the spaces with $\alpha < 1/2$ from the AG construction requires quite a number of operations. In contrast, our construction is considerably faster. We shall revert to this issue in Section 4. Before dealing with the new construction we will investigate how to ensure $\epsilon = k^{-\alpha}$ in the case of the AG bound. It turns out that for $\alpha < 1/2$ the situation is rather complicated. We include the description here, as to our best knowledge, the details cannot be found in the literature.

2 The AG-bound 

Let $q$ be a power of 2 and consider an algebraic function field over $\mathbb{F}_{q^2}$ of genus $g$ with at least $M = (q - 1)g$ rational places. That is, the function field attains the Drinfeld-Vladut bound. As noted in the introduction Theorem 2 equipped with a one-point algebraic geometric code from the above function field produces $\epsilon$-bias spaces $\mathcal{X} \subseteq \mathbb{F}_2^k$ with

l-^l = O (-J^) ■ (4) 



e 



log2(i) 



In the following we investigate how to achieve corresponding values $\epsilon$ and $k$ under the requirement $\epsilon = k^{-\alpha}$, $\alpha > 0$, and $k \to \infty$. Observe, that in this situation for any fixed $\alpha$ we have $\epsilon \to 0$. For completeness we start by proving (4) in this setting.

Consider rational places Pi, ... , Pj\f-i, Q and let ?7 = Pi -|- • • • -|- Pa^-i 
and G = {ag)Q with a > 1. The code Cc(U, G) has parameters N = {q — 
l)g-l, K > degG-g = {a-l)g, andD>N-degG = {{q-l)-a)g-l. 
As we are interested in asymptotics we shall assume N = (q — l)g and 
D > {{q—l)—a)g. From Theorem[2]we get e-bias spaces with e = a/{q—l), 
X C F^^''^ Here, k = 21og2(g)(o - l)g and we have \X\ = q^N = 
$(q^3 - q^2)g$. As $a$ is bounded below by 1 and $\epsilon \to 0$ we need $q \to \infty$ when $k \to \infty$. So the task basically boils down to establishing a sequence of function fields over increasingly large fields and a corresponding function $a(q)$ such that

2log2{q){a - l)g 



\X\ =o 



Vii^J log^^ 



g-i 



(5) 



Note that the argument on the right side is a function in the single variable $q$ as by construction now $g$ is a function of $q$. We have

21og2(g)(a-l)5 ^ 1 log2(9)(« - 1) 

^ TT. ', ^ ; ; — TT Kt 



^)'log2(2^) '~ 2a3(log2((?-l)-log2(a))' 

as (g — 1)^ > liq^ — q^) holds for g > 2. In conclusion ([5]) holds if 
a{q)=0{l). 

We first assume that the sequence of function fields are the Hermitians which are function fields with $g = q(q - 1)/2$. Here, actually the number of rational places is $2qg + q^2 + 1$ but we shall only use $(q - 1)g$ of them. Let $a = 1 + q^{-c}$ where $0 \le c < 2$. Clearly, $a(q) = O(1)$ as requested. We have $k = 2\log_2(q) q^{-c} g = q^{2-c} q^{\beta(q)}$ where $\beta(q) \to 0$ for $q \to \infty$. Hence, asymptotically $\epsilon = k^{-\alpha}$ with $\alpha = 1/(2 - c)$. In other words the situation is clear for $\alpha \in [\frac{1}{2}, \infty[$.

To achieve $\alpha \in\, ]0, \frac{1}{2}[$ is more difficult. The problem is to keep $a(q) = O(1)$ at the same time as having $\epsilon = k^{-\alpha}$. For this purpose we consider families of towers of function fields over $\mathbb{F}_{q^2}$ attaining the Drinfeld-Vladut bound [5]. We will need one tower for each value of $q$. Note that in such a tower for arbitrary $v > 2$ we can find a function field with $g > q^v$. Say $g = q^{v + d(q)}$, where $d(q) > 0$ holds. Let $a(q) = 1 + q^{-d(q)}$ then clearly $a(q) = O(1)$ holds. We have $k = 2\log_2(q)(a - 1)g = q^{v + \beta(q)}$ where $\beta(q) \to 0$ for $q \to \infty$. Also $\epsilon = q^{-1 + \gamma(q)}$ where $\gamma(q) \to 0$ for $q \to \infty$. Hence, $k^{-\alpha} = \epsilon$ asymptotically means $v\alpha = 1 \Rightarrow \alpha = 1/v$. As we only assumed $v > 2$ we have established that all $\alpha \in\, ]0, \frac{1}{2}[$ can be attained.

For our purpose the best candidate for a family of good towers of function fields is the second construction by Garcia and Stichtenoth [3]. In [TB] it was shown how to construct $C_{\mathcal{L}}(U, G)$ codes from this tower using

0{{N\og^{N)f) (6) 

operations over $\mathbb{F}_{q^2}$. Although we might only need codes of small dimension the method as stated requests us to find bases for all one-point codes. As shall be demonstrated in Section 4 the small-bias spaces of the present paper can be constructed much faster than what (6) guarantees for the AG construction.



3 The new small-bias spaces 

In the present paper we propose a new choice of outer codes in the construction of Theorem 2. As already mentioned this results in small-bias spaces with good properties. The new choice of outer codes is derived by combining two Hermitian codes as described below. The easiest way to explain the combination is by using the language of affine variety codes [1] and we therefore start our investigations with a presentation of Hermitian codes as such.

Definition 3. Given a monomial ordering $\prec$ and an ideal $I \subseteq \mathbb{F}[X_1, \ldots, X_m]$ (here $\mathbb{F}$ is any field) the footprint is

$\Delta_{\prec}(I) := \{X_1^{\alpha_1} \cdots X_m^{\alpha_m} \mid X_1^{\alpha_1} \cdots X_m^{\alpha_m}$ is not a leading monomial of any polynomial in $I\}$.

We have the following two useful results [S] Pro. 4 and Pro. 8, Sec. 5.3]. 

Theorem 3. The set $\{M + I \mid M \in \Delta_{\prec}(I)\}$ is a basis for $\mathbb{F}[X_1, \ldots, X_m]/I$ as a vector space over $\mathbb{F}$.

As a corollary one gets the following result often referred to as the footprint bound [719].

Theorem 4. Assume $I$ is zero-dimensional (meaning that $\Delta_{\prec}(I)$ is finite). The variety $V_{\mathbb{F}}(I)$ satisfies $|V_{\mathbb{F}}(I)| \le |\Delta_{\prec}(I)|$.

Consider the Hermitian polynomial $X^{q+1} - Y^q - Y$ and the corresponding ideal

$I = \langle X^{q+1} - Y^q - Y \rangle \subseteq \mathbb{F}_{q^2}[X, Y]$.

Define a monomial function $w$ by $w(X) = q$ and $w(Y) = q + 1$ and consider the weighted degree monomial ordering $\prec_w$ given by $X^{\alpha_1}Y^{\beta_1} \prec_w X^{\alpha_2}Y^{\beta_2}$ if one of the following two conditions holds:

2. $w(X^{\alpha_1}Y^{\beta_1}) = w(X^{\alpha_2}Y^{\beta_2})$ but $\beta_1 < \beta_2$.

Observe for later use that no two different monomials in

$\Delta_{\prec_w}(I) = \{X^i Y^j \mid 0 \le i \text{ and } 0 \le j < q\}$

are of the same weight implying that $w : \Delta_{\prec_w}(I) \to \langle q, q + 1 \rangle$ is a bijection. Observe also that the Hermitian polynomial $X^{q+1} - Y^q - Y$ contains exactly two monomials of highest weight. The implication of this is that

$w(\mathrm{lm}(F(X, Y))) = w(\mathrm{lm}(F(X, Y) \ \mathrm{rem}\ \{X^{q+1} - Y^q - Y\}))$

holds for any polynomial $F(X, Y)$ that possesses exactly one monomial of highest weight in its support.
Consider next the ideal 



The variety $V_{\mathbb{F}_{q^2}}(I) = V_{\mathbb{F}_{q^2}}(I_{q^2})$ consists of $n = q^3$ different points $\{P_1, \ldots, P_n\}$. The set $\{X^{q^2} - X, X^{q+1} - Y^q - Y\}$ constitutes a Gröbner basis for $I_{q^2}$ with respect to $\prec_w$ and therefore

$\Delta_{\prec_w}(I_{q^2}) = \{X^i Y^j \mid 0 \le i < q^2, 0 \le j < q\}$

holds. It now follows from Theorem 3 that

$\{X^i Y^j + I_{q^2} \mid 0 \le i < q^2, 0 \le j < q\}$

is a basis for $\mathbb{F}_{q^2}[X, Y]/I_{q^2}$ as a vector space over $\mathbb{F}_{q^2}$. The code construction relies on the bijective evaluation map $\mathrm{ev} : \mathbb{F}_{q^2}[X, Y]/I_{q^2} \to \mathbb{F}_{q^2}^n$ given by $\mathrm{ev}(F(X, Y) + I_{q^2}) = (F(P_1), \ldots, F(P_n))$. Theorem 4 tells us that we can estimate the Hamming weight of a word $c = \mathrm{ev}(F(X, Y) + I_{q^2})$ by

$w_H(c) \ge n - |\Delta_{\prec_w}(\langle F(X, Y) \rangle + I_{q^2})|.$

Without loss of generality we can assume $\mathrm{Supp}(F) \subseteq \Delta_{\prec_w}(I_{q^2})$. From the discussion prior to the definition of $I_{q^2}$ we conclude that no two different monomials in $F(X, Y)$ are of the same weight. As a consequence



$w(\mathrm{lm}(X^{\alpha}Y^{\beta}F(X, Y))) = w(\mathrm{lm}(X^{\alpha}Y^{\beta}F(X, Y) \ \mathrm{rem}\ \{X^{q+1} - Y^q - Y\}))$

holds for all $X^{\alpha}Y^{\beta}$. Write $\Lambda = w(\Delta_{\prec_w}(I)) = \langle q, q + 1 \rangle$, $\Lambda^* = w(\Delta_{\prec_w}(I_{q^2})) \subseteq \Lambda$ and $\lambda = w(\mathrm{lm}(F)) \in \Lambda^*$. We have

$|\Delta_{\prec_w}(\langle F(X, Y) \rangle + I_{q^2})| \le |\Lambda^* \setminus (\lambda + \Lambda)| \le |\Lambda \setminus (\lambda + \Lambda)| = \lambda,$

where the last equality comes from [Iff, Lem. 5.15]. Hence, $w_H(c) \ge n - \lambda$ holds. Observe that

$\Lambda^* = \{\lambda_1, \ldots, \lambda_g\} \cup \{2g, \ldots, n - 1\} \cup \{\lambda_{n-g+1}, \ldots, \lambda_n\}, \qquad (7)$

where $\lambda_i < g - 1 + i$ for $i = 1, \ldots, g$. This is a general result for Weierstrass semigroups and not particular for the Hermitian function field. Having described the Hermitian codes as affine variety codes we are now ready to introduce the combination of codes on which our construction of small-bias spaces relies. Consider the ideal

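$I_{q^2}^{(2)} := \langle X_1^{q+1} - Y_1^q - Y_1,\ X_2^{q+1} - Y_2^q - Y_2,\ X_1^{q^2} - X_1,\ Y_1^{q^2} - Y_1,\ X_2^{q^2} - X_2,\ Y_2^{q^2} - Y_2 \rangle$

and the corresponding variety

$V_{\mathbb{F}_{q^2}}(I_{q^2}^{(2)}) = V_{\mathbb{F}_{q^2}}(I_{q^2}) \times V_{\mathbb{F}_{q^2}}(I_{q^2}) = \{Q_1, \ldots, Q_{q^6}\}$.

Define a monomial function $w^{(2)}$ given by $w^{(2)}(X_1) = (q, 0)$, $w^{(2)}(Y_1) = (q + 1, 0)$, $w^{(2)}(X_2) = (0, q)$, and finally $w^{(2)}(Y_2) = (0, q + 1)$. Let $\prec_{\mathbb{N}^2}$ be any monomial ordering on $\mathbb{N}_0^2$ and define $\prec_{w^{(2)}}$ by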

„{1) aW (2) (2) (1) (1) (2) (2) 

Xf 1 yf 1 ^2^ YP ^(„2) ^^"2 y^/^2 ^^"2 Yp 

if one of the following two conditions holds: 

^(1) fl(l) ^(2) „{2) (1) „(1) (2) „(2) 

1. t.(2)(xr^ y/^ xp Yi^ )^^.w('){xp Yf^ xp yS- ) 

^(1) rt(l) ^(2) „(2) (1) „(1) (2) „{2) 

2. w;(2)(^^"i y^/3i ^°i y^/3i ) = yjm^xp y/2 ^2"=^ y2''=^ ) 

but 

„{1) g(l) ^(2) .(2) (1) „(1) (2) (2) 

\^"l vPl \^"l V*^! ^, V 2 v'^2 \^"2 v'^2 

-^1 ^1 ^2 ^2 ^lex ^1 M ^2 ^2 ■ 

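Here, $X_1 \succ_{\mathrm{lex}} Y_1 \succ_{\mathrm{lex}} X_2 \succ_{\mathrm{lex}} Y_2$ is assumed. The set $\{X_1^{q+1} - Y_1^q - Y_1,\ X_2^{q+1} - Y_2^q - Y_2,\ X_1^{q^2} - X_1,\ X_2^{q^2} - X_2\}$ is a Gröbner basis for $I_{q^2}^{(2)}$ with respect to $\prec_{w^{(2)}}$ giving us the basis

$\{X_1^{i_1}Y_1^{j_1}X_2^{i_2}Y_2^{j_2} + I_{q^2}^{(2)} \mid 0 \le i_1, i_2 < q^2,\ 0 \le j_1, j_2 < q\}$

for $\mathbb{F}_{q^2}[X_1, Y_1, X_2, Y_2]/I_{q^2}^{(2)}$ as a vector space over $\mathbb{F}_{q^2}$. For the code construction we need the following bijective evaluation map

$\mathrm{Ev} : \mathbb{F}_{q^2}[X_1, Y_1, X_2, Y_2]/I_{q^2}^{(2)} \to \mathbb{F}_{q^2}^{q^6}$

given by $\mathrm{Ev}(F(X_1, Y_1, X_2, Y_2) + I_{q^2}^{(2)}) = (F(Q_1), \ldots, F(Q_{q^6}))$. Define $\Lambda^{(2)} = \Lambda \times \Lambda$ and $(\Lambda^{(2)})^* = \Lambda^* \times \Lambda^*$. We have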

where no two monomials in Z\_< .^Jl 2) have the same weight. Simi- 
lar to the situation of a Hermitian code we consider a codeword c = 
('2)

FiV{F{Xi,Yi,X2,Y2) + / 2 ) where without loss of generahty we will as- 
sume that F(Xi,Yi,X2,Y2) G A^ ,,,{1^2 )■ We write A^^) = (Ai,A2) = 
w^'^>{\v[i{F)). We can estimate 



\A^^^,^{{F{Xi,Y^,X2,Y2)) + lf)\ < 1.1(2) - (A(2) +^(2))| 

<q^-{q^-X,){q^-X2). 



Hence, wnic) > {q^ - Xi)iq^ - A2). 

Consider the code $E(\delta)$ which is to Hermitian codes what Massey-Costello-Justesen codes [13] are to Reed-Solomon codes

$E(\delta) := \mathrm{Span}_{\mathbb{F}_{q^2}}\{\mathrm{Ev}(X_1^{i_1}Y_1^{j_1}X_2^{i_2}Y_2^{j_2} + I_{q^2}^{(2)}) \mid 0 \le i_1, i_2 < q^2,\ 0 \le j_1, j_2 < q,\ (q^3 - w(X_1^{i_1}Y_1^{j_1}))(q^3 - w(X_2^{i_2}Y_2^{j_2})) \ge \delta\}.$

From our discussion we conclude that the minimum distance satisfies $d(E(\delta)) \ge \delta$. To estimate the dimension we make use of the characterization (7). The task is to estimate the number of $(\lambda_1, \lambda_2)$s that satisfy $(q^3 - \lambda_1)(q^3 - \lambda_2) \ge \delta$. For this purpose we can replace $\Lambda^*$ with

$\{g, g + 1, \ldots, q^3 - 1\} \cup \{\lambda_{n-g+1}, \ldots, \lambda_n\}$.

When estimating the dimension $k(E(\delta))$ we shall furthermore ignore the elements in $\{\lambda_{n-g+1}, \ldots, \lambda_n\}$. Writing $T = q^3 - g$ we thereby get

k{E{6)) > \{{i,j) \0<i,j<T-l,{T- i){T - j) > 6}\ 

> J^ J^ djdi = r2 - <5 + In f ^ 

where the last inequality holds under the assumption $\delta > T$.

Proposition 1. Assume $\delta > T$ where $T = q^3 - g$. The parameters of $E(\delta)$ are $[n = q^6,\ k \ge T^2 - \delta + \delta \ln(\delta/T^2),\ d \ge \delta]$.

In [8] Feng-Rao improved codes $C(\delta)$ over $\mathbb{F}_{q^2}[X_1, Y_1, X_2, Y_2]/I_{q^2}^{(2)}$ were considered and a formula similar to the above proposition was derived under a stronger assumption on $\delta$. Feng-Rao improved codes are described by means of their parity check matrix which is not very useful when the aim is to construct a small-bias space. This is why we included the description of $E(\delta)$ in the present paper. We have a proof that $E(\delta) = C(\delta)$, however, we do not include it here as it has no implication for the construction of small-bias spaces. Observe that to derive Proposition 1 we did not use detailed information about the Weierstrass semigroup $\Lambda$ but relied only on the genus and the number of roots of the Hermitian polynomial. Proposition 1 can be generalized to hold for not only two copies of Hermitian function fields but to arbitrary many such copies. Such constructions, however, are not useful when dealing with small-bias spaces so we do not treat them here.
From Proposition 1 and Theorem 2 we get a new class of $\epsilon$-bias spaces:

Theorem 5. For any $\epsilon$, $0 < \epsilon < 1$ using codes $E(\delta)$ as outer code in the construction of Theorem 2 one can construct $\epsilon$-bias spaces with

Proof. In the following we will use the substitution $1 - \epsilon = \delta/N$ which follows from $\epsilon = (N - \delta)/N$. Assume $\delta > \sqrt{N}$. We then have $\delta > T$ which is the condition in Proposition 1. Note that $\delta > \sqrt{N}$ is equivalent to $\epsilon < 1 - (1/\sqrt{N})$. For $N \to \infty$ this becomes $\epsilon < 1$ which is actually no restriction at all. From the proposition we get

> r^-^ -^ + ^ln' 



N - \ q^ J g6 q6 y(^q3 _ gy 
> o(l) + 1 - (1 - e) + (1 - e) ln(l - e) 
= o(l) + e+(l-e)ln(l-e). 



With q"^ = 2* we have 



s \o{l) +€ + {!-€) ln{l-e) 

But 1^1 = (2*)^ implies 2** = |^|^/^ and ([8]) has been demonstrated. 

Theorem 6. Consider the family of $\epsilon$-bias spaces in Theorem 5. Given $\alpha \in \mathbb{R}^+$ choose $\epsilon = k^{-\alpha}$ and let $k \to \infty$. We have

log,{\X\) = ^ + la + o{l). (9) 



Proof. We have 



log,(| A-l) < ^ - ^ logfc(e + (1 - e) ln(l - e)). 
We now apply Taylor's formula to derive $\ln(1 - \epsilon) = -\epsilon - \epsilon^2/(2(1 - c)^2)$ for some $c \in [0, \epsilon]$. This produces

log,{\X\)<^-UogJe+{l-e){-e 



3 3 ^'^ V 2(1 -e) 

4 4^ / 2/^2(1 -e)2-e2 
<---logJe2/ V ^ 



2 



3 3 ^'^ V V (1 - e)^ 
With $\epsilon = k^{-\alpha}$ we arrive at (9).

4 Time complexity considerations 

To build the multiset $\mathcal{X}$ in our construction we need to construct a generator matrix for the concatenated code. This involves the following tasks:

1. Build the generator matrix $G_1$ for $E(\delta)$.

2. Express every entry of $G_1$ as a binary vector giving us $G_2$ (a matrix with binary vectors as entries).

3. For every row in $G_2$ we produce $s = \log_2(q^2)$ rows. This is done by taking cyclic shifts of all the vectors appearing in the row. We arrive at a matrix $G_3$.

4. Every entry in $G_3$ is a vector of length $s$ and it must be multiplied with the $s \times 2^s$ generator matrix of the Walsh-Hadamard code producing $G_4$.

The total cost in binary operations is estimated as follows: 

1. Determining functions and points for the code construction is inexpen- 
sive. To produce one entry costs O (log(A^) log(log(A^))) operations. 
Gi isa-fCxiVmatrix. Using Er<iV-L> -M,e = {N -D)/N, e = k''^, 
and k = iriog2(A^)/6 we arrive at K < N^^F^ {log2{N))^6^ . So 
the price for building d is O A^i+" (log(A^))i+" log(log(iV)) 



2. To produce one entry in G2 costs O iNs log(A^3) log(log(A^3)) ) op- 
erations. That is, to produce G2 from Gi amounts to 

/ 7+4a 1 \ 

O lN3+3^ log(A^)i+" log(log(iV)) operations. 



1 



3. There will be O ( A^i+« (log(A^))i+'» I entries in G3 each coming with 



2 + a 2+a ' 

a cost of s operations. Altogether we have O ( N'^+°' (log(A^)) i+" ) op- 
erations. 
4. The price for multiplying with a generator matrix for the Walsh-Hadamard code is A^3 log(A^) giving a total cost of

(7+4a 2 + a \ 

Ar3+3^(log(Ar))TT^j (lo) 

operations for producing G4 from G3. 

Clearly, the overall cost is that of (10). Note that (10) counts binary operations in contrast to (6) which counts operations in $\mathbb{F}_{q^2}$.

5 Small-bias spaces from norm-trace codes 

The method developed by Ben-Aroya and Ta-Shma for Hermitian codes in [2] was generalized to norm-trace codes by Matthews and Peachey in [12]. Given $r \ge 2$ consider the $C_{ab}$ curve [11]

Q —1 r — 1 r — 2 

known as the norm-trace curve over $\mathbb{F}_{q^r}$ [6]. Clearly, $r = 2$ corresponds to the Hermitian function field. The following theorem from [12] coincides with (3) when $l = 4$.

Theorem 7. Given an integer $l$, $l \ge 4$, define r = [(l + 2)/3j . Let $k$ be a positive integer and $\epsilon$ a real number, $0 < \epsilon < 1$ such that

< k"^ (11) 



(log,(l/e))vi 

holds. Here, $v$ is any fixed real number larger than 1. Using the norm-trace function field over $\mathbb{F}_{q^r}$ one can construct an $\epsilon$-bias space $\mathcal{X} \subseteq \mathbb{F}_2^k$ with



i±l' 



\x\ = 



e'-v^log,(l/e) 



In the above theorem it is not completely clear how well the cases $l \ge 5$ compete with the case $l = 4$. Below we address this question and also compare the small-bias spaces from Theorem 7 with those achieved by using the codes $E(\delta)$ as is done in the present paper.
We first translate Theorem 7 into the setting from Section 1 where for increasing $k$ and fixed $\alpha$ we consider a sequence of $\epsilon$-bias multisets with $\epsilon = k^{-\alpha}$. Condition (11) from Theorem 7 then translates into
k^-'^^i <a\og„ik). 
For fixed v, log^(A;) = O {k^) holds for any /3 > 0. Therefore we have

1 — avl < logj;.(a). 

Letting /c — >• cx) we get the condition 

1 

—p < a. 

Vi~ 

Theorem 7 therefore guarantees that for any $\alpha \ge 1/\sqrt{l}$ we can construct an infinite sequence of $\epsilon$-bias spaces with $\epsilon = k^{-\alpha}$, $\mathcal{X} \subseteq \mathbb{F}_2^k$ such that

log.dA-l) = i±l{l + a{l- Vl)) + 0(1). (12) 

Given an $\alpha$ and two integers $l_1, l_2 \ge 4$ with $\alpha \ge 1/\sqrt{l_i}$, $i = 1, 2$ it is clear from (12) that the best result is obtained by choosing the smallest $l_i$. So the advantage of Theorem 7 over (3) boils down to the fact that Theorem 7 allows for any $\alpha$ provided that the $l$ is chosen accordingly while (3) requires $\alpha > 1/2$. Recall from Section 3 that using the code $E(\delta)$ in the construction of Theorem 2 one achieves

log,(|^|) = ^ + ^a + o(l) (13) 

for any choice of $\alpha$. We now compare this result with (12) ignoring of course the $o(1)$ parts. For fixed $l$ (12) is a linear expression in $\alpha$ which is smaller than the linear expression from (13) when $\alpha = 0$. We now show that for $\alpha = 1/\sqrt{l}$ (which is the smallest $\alpha$ allowed) (12) is larger than (13) when $l \ge 5$. It follows that none of the cases $l \ge 5$ can compete with the construction of the present paper. To show that (12) is larger than (13) for $\alpha = 1/\sqrt{l}$ we substitute $k = \sqrt{l}$ into (12)-(13) to get

F^^'"3^'"3^^- 

The function /c^ — ^ A;^ — |/c is positive for k belonging to the interval from 
0 to approximately 2.119 and negative for higher values of $k$. Therefore for all $l \ge 5$ indeed (13) is better than (12).